[wp-hackers] thorough admin SSL

Steve Taylor steve at sltaylor.co.uk
Wed Feb 3 21:49:53 UTC 2010


> It depends on what the link is. There isn't a login_footer action but there
> are other options.

I'm trying to be global. As mentioned before in the thread, there's a
good few plugins that I was resorting to hacking. When I thought of
output buffer manipulation, this seemed preferrable to hacking loads
of plugins.

I guess the best option is to use the latest hook in wp-login.php -
which seems to be login_form. Works OK so far...

> You should probably open a ticket (I don't think there is a catch-all one)
> on core.trac.wordpress.org with any links you find in core that don't check
> HTTP v. HTTPS. There are a few functions we we can easily convert links to
> to make sure schema is respected, including home_url(), get_home_url() (as
> of today), admin_url(), includes_url(), etc.

There's this ticket:

http://core.trac.wordpress.org/ticket/3637

There doesn't seem to be much enthusiasm for it. As I've mentioned,
I'm not sure why, this is quite an issue for perceived security.
Anyway, being flat-out, and having found a workaround, I'll have to
postpone cheerleading this cause for another day unfortunately...


More information about the wp-hackers mailing list